(1) Field of Invention
The present invention relates to a system and method for monitoring and enforcing information flow security in software systems and, more specifically, to a system for maintaining security tags and reference counts for objects in computer memory.
(2) Description of Related Art
Runtime monitoring is a computer system analysis technique that is based on extracting information from a running system and using such information to detect and react to observed behaviors that satisfy or violate specified properties, such as information flow security properties. Runtime monitor of information flow security is known to be extremely computationally intensive because it amounts to monitoring each program statement (or machine instruction) using several additional program statements (or machine instructions). Fundamentally, runtime monitoring is an exercise of mirroring every aspect of program execution, which implies at least a 100% runtime overhead and most likely several times more than that. Moreover, conventional runtime monitoring techniques mirror standard runtime environment operations such as automatic memory management and exceptional handling, which further multiplies the imposed overhead.
Some research prototypes have been developed that are directed to dynamic information flow tracking (DIFT), such as dynamic taint tracking systems. As previously noted, such systems (e.g., see the List of Incorporated Literature References, Literature Reference Nos. 4 and 6) have typically been research prototypes. These state-of-the-art systems suffer for the high runtime overhead due to having to mirror all program operations all the time.
Prior art in information flow tracking has not considered how to aggregate dynamic checks in any form. This is a challenge because typical runtime monitoring of information flow must mirror all operations in lockstep to maintain soundness. Other competing approaches (see Literature Reference Nos. 5 and 6) have generally attempted to optimize runtime monitoring by eliminating certain forms of tracking and minimizing the amount and complexity of code that needs to be tracked, but generally these processes still have large slowdowns because of extensive operation mirroring requirements.
In other work, Cohen et al (see Literature Reference No. 3) considered using information flow properties to secure transactional memory. However, they did not consider how to utilize hardware transactional memory to address and respond to information flow security violations.
Birgisson et al. (see Literature Reference No. 2) developed a technique for enforcing Authorization Policies in multithreaded environments using transactional memory introspection. This technique relies on software transaction memory and is limited to enforcing authorization.
Architecture based techniques were described in Literature Reference Nos. 7 and 10), which used either emulation or actual hardware to assist in tracking information flow security for running programs. This approach is often the most comprehensive, being able to monitor information flows throughout the software stack including operating systems and even bootloaders. However, because it intervenes at the lowest level, it can also be considered an approach that would be considerably invasive since it requires changes to the hardware or at least the running of all software on top of a non-standard emulator.
Dynamic binary instrumention or dynamic binary rewriting takes a program binary and rewrites it on-the-fly (see Literature Reference Nos. 6 and 9). This approach can monitor information flow in unmodified third-party software binaries but the runtime overhead is typically very high.
Source code instrumentation was described in Literature No. 11. Their process applied a technique similar to dynamic binary instrumentation except at the source code level. This is essentially a kind of inlining of monitoring code. It is faster than dynamic binary instrumentation but does not apply to unmodified third-party software binaries. Moreover, it is unclear how this technique would apply to monitoring information across program boundaries.
Compile-time checking for type-safe languages was described in Literature No. 8, which concentrates on checking of all information flow security properties at compile-time through checking of language constructs tailored for encoding information flow properties. This approach requires modification of the programming language itself and also rewriting of programs to take advantage of the new information flow-aware program language. Thus, this technique is quite invasive.
Thus, a continuing need exists for a system for monitoring and enforcing information flow security in software systems, and particularly one with a reduced runtime overhead in comparison to the prior art that is operable for maintaining security tags and reference counts for objects in computer memory.